You can migrate users (with their encrypted passwords) and groups from the default embedded WebLogic LDAP server into an alternative authentication provider (for example, OID, external tables, or another LDAP directory). For more information, see Oracle Fusion Middleware Securing Oracle WebLogic Server.

2.1 Working with the Default Users, Groups, and Application Roles

When you install Oracle Business Intelligence, there are a number of preconfigured users, groups, and application roles that you can use to deploy Oracle Business Intelligence. For example, there is a user that is assigned to a BIAdministrators group (with a name that is user-specified at installation time, for example WebLogic), a group named BIAdministrators, and an associated application role named BIAdministrator. The default installed users, groups, and application roles are preconfigured to work together. For example, the installed BIConsumers group is assigned to the BIConsumer application role. For a detailed description of the default security configuration, refer to Appendix B, "Understanding the Default Security Configuration".

Caution:

Oracle recommends that you do not modify the default users, groups, or application roles, unless explicitly advised to do so by Oracle Support. Oracle recommends that you only modify copies that you have made of the installed groups and application roles.

The installed application roles are preconfigured with appropriate permissions and privileges to enable them to work with the installed Oracle BI Presentation Catalog, BI Repository, and Policy Store. For example, the application role named BIAuthor is preconfigured with permissions and privileges that are required to create dashboards, reports, actions, and so on.

Figure 2-1 shows application roles, groups and users that are preconfigured during installation.

The user that is specified at installation time (for example, Weblogic) is automatically assigned to the WebLogic Administrators group named BIAdministrators and to the associated application role named BIAdministrator. The user has permissions to log in to the Oracle Business Intelligence tools to create and administer other users.

Note:

Groups are organized hierarchically, and inherit privileges from parent groups. In other words, the BIAdministrators group automatically inherits privileges from the BIAuthors and BIConsumers groups. Oracle recommends that you do not change this hierarchy.

You can use the installed groups and application roles to deploy security, and if required you can develop your own groups and application roles to meet your business needs. For example:

If you want to enable an employee called Fred to create dashboards and reports, you might create a new user called Fred and assign Fred to the default BIAuthors group.

If you want to enable user Fred to perform BIAuthors and BIAdministrator duties, you might create a new application role called BIManager, which has both BIAuthors privileges and BIAdministrators privileges.

If you want user Fred to be a Sales dashboard author, you might create an application role called Sales Dashboard Author that has permissions to see Sales subject areas in the repository and edit Sales dashboards.

2.2 An Example Security Setup Using the Default Groups and Application Roles

This example uses a small set of users, groups, and application roles to illustrate how you set up a security policy using the default groups and application roles. In this example, you want to implement the following:

Three users named User1, User2, and User3, who need to view business intelligence reports.

Two users named User4 and User5, who need to create business intelligence reports.

Two users named User6 and User7, who administer Oracle Business Intelligence.

Figure 2-2 shows the users, groups, and application roles that you would deploy to implement this security model.

The group named BIConsumers contains User1, User2, and User3. Users in the group BIConsumers are assigned to the application role named BIConsumer, which enables the users to view reports.

The group named BIAuthors contains User4 and User5. Users in the group BIAuthors are assigned to the application role named BIAuthor, which enables the users to create reports.

The group named BIAdministrators contains User6 and User7. Users in the group BIAdministrators are assigned to the application role named BIAdministrator, which enables the users to manage repositories.

2.3.1 Setting Up Users, Groups, and Application Roles

This section summarizes recommended approaches for setting up users, groups, and application roles.

The simplest way to set up security is to create users and assign them to the default groups (that is, BIConsumers, BIAuthors, or BIAdministrators).

For example, you might create a user called Fred and assign Fred to the default group named BIAuthors. The BIAuthors group is preconfigured with the privileges it requires to access the other Oracle BI components, such as the Oracle BI repository and Oracle BI Presentation Catalog.

If the default groups (that is, BIConsumers, BIAuthors, or BIAdministrators) do not meet your business requirements, you can extend the default security model by creating your own groups and application roles.

For example, you might want to create a user called Jim and assign Jim to a new group called BIMarketingGroup that is assigned to a new application role named BIMarketingRole.

2.3.2 Creating a New User in the Embedded WebLogic LDAP Server

You typically create a separate user for each business user in your Oracle Business Intelligence environment. For example, you might plan to deploy 30 report consumers, 3 report authors, and 1 administrator. In this case, you would use Oracle WebLogic Server Administration Console to create 34 users, which you would then assign to appropriate groups (for example, you might use the preconfigured groups named BIConsumers, BIAuthors, and BIAdministrators).

A new user who logs in without being assigned to any groups is given a basic level of operational permissions conferred by the BIConsumer application role, through association with the Authenticated User application role. For more information, see Appendix B, "Default Security Configuration".

Name: Enter the name of the user. See the online help for a list of invalid characters.

(Optional) Description: Enter a description.

Provider: Select the authentication provider from the list that corresponds to the identity store where the user information is contained. DefaultAuthenticator is the name for the default authentication provider.

Password: Enter a password for the user that is at least 8 characters long.

2.3.3 Creating a Group in the Embedded WebLogic LDAP Server

You typically create a separate group for each functional type of business user in your Oracle Business Intelligence environment. For example, a typical deployment might require three groups: BIConsumers, BIAuthors, and BIAdministrators. In this case, you could either use the preconfigured groups named BIConsumers, BIAuthors, and BIAdministrators that are installed with Oracle Business Intelligence, or you might create your own custom groups.

In Oracle WebLogic Server Administration Console, select Security Realms from the left pane and click the realm you are configuring. For example, myrealm.

Select the Users and Groups tab, then Groups. Click New.

In the Create a New Group page provide the following information:

Name: Enter the name of the group. Group names are case insensitive but must be unique. See the online help for a list of invalid characters.

(Optional) Description: Enter a description.

Provider: Select the authentication provider from the list that corresponds to the identity store where the group information is contained. DefaultAuthenticator is the name for the default authentication provider.

Click OK.

The group name is added to the Group table.

2.3.4 Assigning a User to a Group in the Embedded WebLogic LDAP Server

You typically assign each user to an appropriate group. For example, a typical deployment might require user IDs created for report consumers to be assigned to a group named BIConsumers. In this case, you could either assign the users to the default group named BIConsumers, or you could assign the users to your own custom group that you have created.

In Oracle Business Intelligence, you use Fusion Middleware Control to manage application roles and application policies that provide permissions for users and groups. For detailed information about using Fusion Middleware Control, see Oracle Fusion Middleware Administrator's Guide.

If you are using the default groups (that is, BIConsumers, BIAuthors, and BIAdministrators) that are installed with the default embedded WebLogic LDAP Server, then these groups are assigned to an appropriate application role (that is, BIConsumer, BIAuthor, or BIAdministrator). No additional steps are required to assign the default groups to application roles.

The simplest way to set up security is to assign your groups to the default application roles (that is, BIConsumer, BIAuthor, and BIAdministrator). Each default group is preconfigured to use the appropriate default application role. For example, the default group named BIAuthors is assigned to the default application role named BIAuthor. In other words, any users that you add to the default group named BIAuthors automatically have the privileges required to create reports and perform related duties.

If you want to create a more complex or fine grained security model, you might create your own application roles and application policies as described in this section. For example, you might want report authors in a Marketing department to only have write-access to the Marketing area of the metadata repository and Oracle BI Presentation Catalog. To achieve this, you might create a new application role called BIAuthorMarketing, and provide it with appropriate privileges.

Caution:

If you are deploying the default Policy Store, then Oracle recommends that you make a copy of the original system-jazn-data.xml policy file and place it in a safe location. Use the copy of the original file to restore the default policy store configuration, if needed. Changes to the default security configuration might lead to an unwanted state. The default location is MW_HOME/user_projects/domain/<your_domain>/config/fmwconfig.

To set up the application roles that you want to deploy, do the following:

2.4.2.1 Overview

In a new Oracle Business Intelligence deployment, you typically create an application role for each type of business user activity in your Oracle Business Intelligence environment. For example, a typical deployment might require three application roles: BIConsumer, BIAuthor, and BIAdministrator. In this case, you could either use the preconfigured application roles named BIConsumer, BIAuthor, and BIAdministrator that are installed with Oracle Business Intelligence, or you could create your own custom application roles. For more information about the default application roles, see Section 2.1, "Working with the Default Users, Groups, and Application Roles".

Oracle Business Intelligence application roles represent a role that a user has. For example, having the Sales Analyst application role might grant a user access to view, edit and create reports on a company's sales pipeline. You can create new application roles to supplement or replace the default roles configured during installation. Keeping application roles separate and distinct from the directory server groups enables you to better accommodate authorization requirements. You can create new application roles to match business roles for your environment without needing to change the groups defined in the corporate directory server. To control authorization requirements more efficiently, you can then assign existing groups of users from the directory server to application roles.

Note:

Before creating a new application role and adding it to the default Oracle Business Intelligence security configuration, familiarize yourself with how permission and group inheritance works. It is important when constructing a role hierarchy that circular dependencies are not introduced. For more information, see Section B.4.4, "How User Permissions Are Granted Using Application Roles".
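One way to check a planned role hierarchy for the circular dependencies this note warns about, as an added example (not Oracle's code or tooling). The membership map is constructed sample data: the role-in-role memberships are assumed for illustration, and the tuple layout is this example's own model, not the policy store format.

```python
# Constructed sample: application role -> its members.
# Each member is (type, name); type is "user", "group" or "role",
# the three member kinds an application role accepts.
SAMPLE_ROLE_MEMBERS = {
    "BIConsumer": [("group", "BIConsumers"), ("role", "BIAuthor")],
    "BIAuthor": [("group", "BIAuthors"), ("role", "BIAdministrator")],
    "BIAdministrator": [("group", "BIAdministrators")],
    "MyNewRole": [("group", "Operators")],
}


def role_edges(role_members):
    """Keep only role-in-role memberships: role -> list of member roles."""
    return {
        role: [name for kind, name in members if kind == "role"]
        for role, members in role_members.items()
    }


def find_cycle(role_members):
    """Return the roles forming a circular membership chain, or None.

    Depth-first search: a role met again while it is still on the
    current path ("in progress") closes a cycle.
    """
    edges = role_edges(role_members)
    in_progress, done = set(), set()
    path = []

    def visit(role):
        in_progress.add(role)
        path.append(role)
        for member in edges.get(role, []):
            if member in in_progress:
                # Slice the path from the first occurrence to show the loop.
                return path[path.index(member):] + [member]
            if member not in done:
                found = visit(member)
                if found:
                    return found
        path.pop()
        in_progress.discard(role)
        done.add(role)
        return None

    for role in sorted(edges):
        if role not in done:
            cycle = visit(role)
            if cycle:
                return cycle
    return None


def would_create_cycle(role_members, parent_role, new_member_role):
    """Test a planned 'add new_member_role to parent_role' on a copy.

    Returns the cycle the change would introduce, or None if it is safe.
    The input mapping is left unmodified.
    """
    proposed = {role: list(members) for role, members in role_members.items()}
    proposed.setdefault(parent_role, []).append(("role", new_member_role))
    proposed.setdefault(new_member_role, [])
    return find_cycle(proposed)


if __name__ == "__main__":
    print(find_cycle(SAMPLE_ROLE_MEMBERS))
    print(would_create_cycle(SAMPLE_ROLE_MEMBERS, "BIAuthor", "MyNewRole"))
    print(would_create_cycle(SAMPLE_ROLE_MEMBERS, "BIAdministrator", "BIConsumer"))
```

Run the check against the planned membership before making the change in Fusion Middleware Control; a non-empty result lists the chain of roles that would loop back on itself.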

2.4.2.2 Creating an Application Role

Create New - Creates a new application role. You can add members at the same time or you can save the new role after naming it, and add members later.

Copy Existing - Creates an application role by copying an existing application role. The copy contains the same members as the original, and is made a grantee of the same application policy as is the original. Modifications can be made as needed to the copy to further customize the new application role.

Membership in an application role is controlled using the Application Roles page in Fusion Middleware Control. Valid members of an application role are users, groups, and other application roles.

Click Create to display the Create Application Role page. You can enter all information at once or you can enter a Role Name, save it, and complete the remaining fields later. Complete the fields as follows:

In the General section:

Role Name - Enter the name of the application role

(Optional) Display Name - Enter the display name for the application role.

(Optional) Description - Enter a description for the application role.

In the Members section, click Add to display the Add Principal page.

In the Add Principal page search for members to assign to the current application role, as follows:

Select Application Role, Group, or Users from the Type field drop down list.

Optionally enter search details into Principal Name and Display Name fields.

Click the search button.

Select from the results returned in the Searched Principals box.

Click OK to return to the Create Application Role page.

Repeat the steps until all desired members are added to the application role.

Click OK to return to the Application Roles page.

The application role just created displays in the table at the bottom of the page.

To create an application role based on an existing one:

Log in to Fusion Middleware Control, and display the Application Roles page.

The newly-created application role displays in the table at the bottom of the page. Figure 2-7 shows the newly-created application role named MyNewRole that is based upon the default BIAuthor application role.

2.4.2.3 Assigning a Group to an Application Role

You assign a group to an application role to provide users in that group with appropriate security privileges. For example, a group for marketing report consumers named BIMarketingGroup might require an application role called BIConsumerMarketing, in which case you assign the group named BIMarketingGroup to the application role named BIConsumerMarketing.

To assign a group to an application role:

Log in to Fusion Middleware Control, and display the Application Roles page.

Click Delete, then click Yes, to confirm deletion of the application role.

2.4.3 Creating Application Policies Using Fusion Middleware Control

You can create application roles based on default preconfigured application policies, or you can create your own application policies.

Application policies do not apply privileges to the metadata repository or Oracle BI Presentation Catalog objects and functionality.

All Oracle Business Intelligence permissions are provided as part of the installation and you cannot create new permissions. The application policy is the mechanism that defines the permissions grants. Permission grants are controlled in the Fusion Middleware Control Application Policies page. The permission grants are defined in an application policy. An application role, user, or group, is then assigned to an application policy. This process makes the application role a grantee of the application policy.

There are two methods for creating a new application policy:

Create New - A new application policy is created and permissions are added to it.

Copy Existing - A new application policy is created by copying an existing application policy. The copy is named, and existing permissions are removed or permissions are added.

Whether or not the obi application stripe is pre-selected and the Oracle Business Intelligence application policies are displayed depends upon the method used to navigate to the Application Policies page.

If necessary, select Application Stripe and obi from the list, then click the search icon next to Name.

Select the desired Oracle Business Intelligence permission and click Continue.

Modify permission details if required in the Customize page, then click Select to add the permission.

You are returned to the Create Application Grant page. The selected permissions display in the Permissions area.

Repeat until all desired permissions are selected.

Selecting non-Oracle Business Intelligence permissions has no effect in the policy.

To remove a permission, select it and click Delete.

To add an application role, group, or user to the policy being created, click Add in the Grantee area to display the Add Principal page.

Complete the Search area and click the blue search button next to the Display Name field.

Select a principal from the Searched Principals list.

Click OK to display the Create Application Grant page.

Click OK.

You are returned to the Application Policies page. The Principal and Permissions of the policy created are displayed in the tables. The following figure shows the new application policy just created with MyNewRole application role as the grantee (Principal).

To create an application policy based on an existing one:

Log in to Fusion Middleware Control, and display the Application Policies page.

2.4.4 Modifying Application Roles Using Fusion Middleware Control

You can modify an application role by changing permission grants of the corresponding application policy (if the application role is a grantee of the application policy), or by changing its members, and by renaming or deleting the application role as follows:

2.4.4.1 Adding or Removing Permission Grants from an Application Role

Use this procedure if you want to change the permission grants for an application role. This is done by adding or removing the permission grants for the application policy which the application role is a grantee of.

To add or remove permission grants from an application policy:

Log in to Fusion Middleware Control, and display the Application Policies page.

Whether or not the obi stripe is pre-selected and the application policies are displayed depends upon the method used to navigate to the Application Policies page.

If necessary, select Application Stripe and obi from the list, then click the search icon next to Role Name.

The Oracle Business Intelligence application policies are displayed. The Principal column displays the name of the policy grantee.

Select the application role from the Principal column and click Edit.

Add or delete permissions from the Edit Application Grant view and click OK to save the changes.

2.4.4.2 Adding or Removing Members from an Application Role

Members can be added to or deleted from an application role using Fusion Middleware Control. You must perform these tasks in the WebLogic Domain where Oracle Business Intelligence is installed (for example, in bifoundation_domain). Valid members of an application role are users, groups, or other application roles. Being assigned to an application role is to become a member of an application role. Best practice is to assign groups instead of individual users to application roles.

Note:

Be very careful when changing the permission grants and membership for the default application roles. For example, the BISystem application role provides the permissions required for system communication and changes to it could result in an unusable system.

To add or remove members from an application role:

Log in to Fusion Middleware Control, and display the Application Roles page.

Whether or not the obi application stripe is pre-selected and the application policies are displayed depends upon the method used to navigate to the Application Roles page.

If necessary, select Application Stripe and obi from the list, then click the search icon next to Role Name.

The Oracle Business Intelligence application roles are displayed.

Select the cell next to the application role name and click Edit to display the Edit Application Role page.

You can add or delete members from the Edit Application Role page. Valid members are application roles, groups, and users.

To delete a member, select the Name of the member to activate the Delete button, then click Delete.

To add a member click the Add button to display the Add Principal page.

Search for members to assign to the current application role, as follows:

Select Application Role, Group, or Users from the Type field drop down list.

Optionally enter search details into Principal Name and Display Name fields.

Click the search button.

Select from the results returned in the Searched Principals box.

Click OK to return to the Create Application Role page.

Repeat the steps until all desired members are added to the application role.

The added member displays in the Members section corresponding to the application role modified in the Application Roles page. For example, the following figure shows the Edit Application Role page for the MyNewRole application role after the Operators group has been added.

Click OK in the Edit Application Role page to return to the Application Roles page.

The members just added to the application role display in the Membership for section. If members were deleted, they no longer display.

The following figure shows the MyNewRole application role with the recently added member Operators group displaying.

2.4.4.3 Renaming an Application Role

You cannot directly rename an existing application role; you can only update the display name. To rename an application role you must create a new application role (using the same application policies used for the deleted application role), and delete the old application role. When you create the new application role, you specify a new name. You must also update any references to the old application role with references to the new application role in both the Oracle BI Presentation Catalog and the metadata repository.

To rename an application role:

Create a new application role using a new name.

Use the Create Like option to include the settings of the old application role in the new application role.

2.5.1 Overview

You use Identity Manager in the Oracle BI Administration Tool to manage permissions for application roles, and set access privileges for objects such as subject areas and tables. For an overview about using the Oracle BI Administration Tool to configure security, see Section 1.6.3, "Using Oracle BI Administration Tool".

2.5.2 Setting Repository Privileges for an Application Role

The default application roles (that is, BIConsumer, BIAuthor, and BIAdministrator) are preconfigured with permissions for accessing the metadata repository. If you create a new application role, you must set appropriate repository permissions for the new application role, to enable that role to access the metadata repository.

In the Presentation panel, navigate to the subject area or sub-folder for which you want to set permissions.

Right-click the subject area or sub-folder and select Properties to display the properties dialog.

For example, to provide access to the Paint subject area, right-click Paint.

Click Permissions to display the Permissions <Name> dialog.

Note:

Ensure that the Show all users/application roles check box is selected.

Use the Permissions <Name> dialog to change the security permissions for application roles in the User/Application Role list.

For example, to enable users to create dashboards and reports, you might change the repository permissions for an application role named BISalesAnalysis from 'Read' to 'Read/Write'.

Note:

Best practice is to modify permissions for application roles, not modify permissions for individual users.

To see all permissions for an object in the Presentation pane, right-click the object and choose Permission Report to display a list of users and application roles and what permissions they have for the selected object.

Application role definitions are maintained in the policy store and any changes must be made using the administrative interface. The repository maintains a copy of the policy store data to facilitate repository development. The Oracle BI Administration Tool displays application role data from the repository's copy; you are not viewing the policy store data in real time. Policy store changes made while you are working with an offline repository are not available in the Administration Tool until the policy store next synchronizes with the repository. The policy store synchronizes data with the repository copy whenever the BI Server restarts; if a mismatch in data is found, an error message is displayed.

While working with a repository in offline mode, you might discover that the available application roles do not satisfy the membership or permission grants needed at the time. A placeholder for an Application Role definition can be created in the Administration Tool to facilitate offline repository development. But this is just a placeholder visible in the Administration Tool and is not an actual application role. You cannot create an actual application role in the Administration Tool. You can create an application role only in the policy store, using the administrative interface available for managing the policy store.

An application role must be defined in the policy store for each application role placeholder created using the Administration Tool before bringing the repository back online. If a repository with role placeholders created while in offline mode is brought online before valid application roles are created in the policy store, then the application role placeholder disappears from the Administration Tool interface. Always create a corresponding application role in the policy store before bringing the repository back online when using role placeholders in offline repository development.

For more information about how to create a placeholder for an application role during repository development, see Oracle Fusion Middleware Metadata Repository Builder's Guide for Oracle Business Intelligence Enterprise Edition.

2.6 Managing Presentation Services Privileges Using Application Roles

This section explains how to manage Presentation Services privileges using application roles in the Presentation Services Administration Manage Privileges page, and contains the following topics:

2.6.1 Overview

Privileges that are stored in Presentation Services control access to features such as the creation of analyses and dashboards. The default Oracle Business Intelligence application roles (BIAdministrator, BIAuthor, BIConsumer) are automatically configured with these privileges during installation, in addition to the Oracle Business Intelligence application policy permissions.

Systems upgraded from a previous release can continue to use Catalog groups to grant these privileges, but this is not considered a best practice. Best practice is to use application roles to manage privileges, which streamlines the security management process. For example, using the same set of application roles throughout the system eliminates the need to manage a separate set of Catalog groups and member lists. For more information regarding how to continue using upgraded Catalog groups to manage Presentation Services privileges, see Section A.2.1, "Changes Affecting Security in Presentation Services".

Note:

Assigning an application role to be a member of a Catalog group creates complex group inheritance and maintenance situations and is not considered a best practice.

When groups are assigned to application roles, the group members are automatically granted associated privileges in Presentation Services. This is in addition to the Oracle Business Intelligence permissions.

Tip:

A list of application roles that a user is a member of is available from the Roles and Groups tab in the My Account dialog in Presentation Services.

2.6.2 About Presentation Services Privileges

Presentation Services privileges are maintained in the Presentation Services Administration Manage Privileges page, and they grant or deny access to Presentation Services features, such as the creation of analyses and dashboards. Presentation Services privileges have no effect in other Oracle Business Intelligence components.

Being a member of a group assigned to a default application role grants Presentation Services privileges, in addition to the Oracle Business Intelligence permissions discussed in Section B.4.1.3, "Default Application Roles, Permission Grants, and Group Mappings". The Presentation Services privileges granted by a default application role can be modified by adding or removing default privilege grants using the Manage Privileges page in Presentation Services Administration.

Whenever a new catalog is created, it is populated with the default application role to Presentation Services privilege mappings. If you have changed the default mappings and want to see the default associations, create a new catalog by pointing to a file location where no catalog exists. When Presentation Services starts, a catalog is created as part of the initialization process.

Presentation Services privileges can be granted to users both explicitly and by inheritance. However, explicitly denying a Presentation Services privilege takes precedence over user access rights either granted or inherited as a result of group or application role hierarchy.
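The precedence rule above, worked through as an added example (a model written for this page, not Oracle's implementation). The group hierarchy and default group-to-role mappings follow this guide; the BIContractor role, the Contractors group and the contents of the privilege list are hypothetical, constructed values.

```python
# Constructed sample data, not exported from a real catalog or policy store.

# Group -> parent groups it inherits from (the default hierarchy in this guide).
GROUP_PARENTS = {
    "BIAdministrators": ["BIAuthors"],
    "BIAuthors": ["BIConsumers"],
}

# Application role -> members; each member is (type, name).
ROLE_MEMBERS = {
    "BIConsumer": [("group", "BIConsumers"), ("role", "Authenticated User")],
    "BIAuthor": [("group", "BIAuthors")],
    "BIAdministrator": [("group", "BIAdministrators")],
    "BIContractor": [("group", "Contractors")],  # hypothetical role and group
}

# Privilege -> permission list: principal -> "Granted" or "Denied".
PRIVILEGE_ACL = {
    "Create Invoke Action": {
        ("role", "BIAuthor"): "Granted",
        ("role", "BIContractor"): "Denied",  # hypothetical explicit deny
    },
}


def expand_groups(groups):
    """Return the given groups plus every parent group they inherit from."""
    seen, todo = set(), list(groups)
    while todo:
        group = todo.pop()
        if group not in seen:
            seen.add(group)
            todo.extend(GROUP_PARENTS.get(group, []))
    return seen


def resolve_principals(user, groups):
    """All principals that apply to a logged-in user: the user itself,
    its groups (with inheritance) and every application role reached
    through them, directly or through role-in-role membership."""
    principals = {("user", user), ("role", "Authenticated User")}
    principals |= {("group", g) for g in expand_groups(groups)}
    changed = True
    while changed:  # repeat until no further role is picked up
        changed = False
        for role, members in ROLE_MEMBERS.items():
            if ("role", role) not in principals and principals.intersection(members):
                principals.add(("role", role))
                changed = True
    return principals


def effective_privilege(privilege, user, groups):
    """Return (verdict, principals that decided it).

    An explicit "Denied" on any applicable principal wins over every
    grant, whether that grant is direct or inherited.
    """
    acl = PRIVILEGE_ACL.get(privilege, {})
    hits = {p: acl[p] for p in resolve_principals(user, groups) if p in acl}
    for verdict in ("Denied", "Granted"):
        sources = sorted(name for (_, name), v in hits.items() if v == verdict)
        if sources:
            return verdict, sources
    return "Not granted", []


if __name__ == "__main__":
    for user, groups in [
        ("User1", ["BIConsumers"]),
        ("User4", ["BIAuthors"]),
        ("User6", ["BIAdministrators"]),
        ("Fred", ["BIAuthors", "Contractors"]),
    ]:
        print(user, effective_privilege("Create Invoke Action", user, groups))
```

User6 receives the grant only through inheritance from BIAuthors, while Fred holds the same grant and still ends up denied because one of his roles carries an explicit deny.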

2.6.3 Setting Presentation Services Privileges for Application Roles

If you create an application role, you must set appropriate Presentation Services privileges to enable users with the application role to perform various functional tasks. For example, you might want users with an application role named BISalesAdministrator to be able to create Actions in Oracle Business Intelligence. In this case, you would grant them a privilege named Create Invoke Action.

Presentation Services privileges cannot be assigned using the administrative interfaces used to manage the policy store. If you create a new application role to grant Oracle Business Intelligence permissions, then you must set Presentation Services privileges for the new role in addition to any Oracle Business Intelligence permissions.

Use the Privilege <privilege_name> dialog to add application roles to the list of permissions, and grant and revoke permissions from application roles. For example, to grant the selected privilege to an application role, you must add the application role to the Permissions list.

Add an application role to the Permissions list, as follows:

Click Add Users/Roles.

Select Application Roles from the list and click Search.

Select the application role from the results list.

Use the shuttle controls to move the application role to the Selected Members list.

Click OK.

Set the permission for the application role by selecting Granted or Denied in the Permission list.

Note:

Explicitly denying a Presentation Services permission takes precedence over user access rights either granted or inherited as a result of group or application role hierarchy.

Save your changes.

Note:

Existing Catalog groups are migrated during the upgrade process. Moving an existing Oracle BI Presentation Catalog security configuration to the role-based Oracle Fusion Middleware security model requires that each Catalog group be replaced with a corresponding application role. To duplicate an existing Presentation Services configuration, replace each Catalog group with a corresponding application role that grants the same Oracle BI Presentation Catalog privileges. You can then delete the original Catalog group from Presentation Services.

The BI Server and Presentation Services client support industry-standard security for login and password encryption. When an end user enters a user name and password in the web browser, the BI Server uses the Hypertext Transfer Protocol Secure (HTTPS) standard to send the information to a secure Oracle BI Presentation Services port. From Oracle BI Presentation Services, the information is passed through ODBC to the BI Server, using Triple DES (Data Encryption Standard). This provides a high level of security (168-bit), preventing unauthorized users from accessing data or Oracle Business Intelligence metadata.

2.7 Managing Data Source Access Permissions Using Oracle BI Publisher

This section discusses managing the data source access permissions that are stored in Oracle BI Publisher, using the Oracle BI Publisher Administration pages. Data source access permissions control application role access to data sources. A user must be assigned to an application role which is granted specific data source access permissions to enable the user to perform the following tasks:

To enable high availability of the default embedded Oracle WebLogic Server LDAP identity store in a clustered environment, you configure the virtualize attribute. When you set the virtualize attribute value to true, Managed Servers can use a copy of the embedded default Oracle WebLogic Server LDAP identity store.

2.9 Attaching a Global Policy for Web Services in the BI Domain

Local policy attachments are not installed with Oracle Business Intelligence web services. If you install or upgrade to Release 11.1.1.7.0 (and higher), then you must perform the following to add a Global Policy Attachment (GPA) to the BI domain.

To attach a global policy for web services in the BI domain:

Log in to Fusion Middleware Control.

In the left pane, click WebLogic Domain, and then click bifoundation_domain.

In the right pane, click the WebLogic Domain menu and select Web Services and then Policy Sets.

Click Create to create a new policy set.

Enter the following general information:

Name - Enter any name you choose.

Enabled - Select this box.

Type of Resources - Web Service Endpoint.

Description - This GPA will be applied for all JRF-based web services.